3 Answers

Today at Black Hat [2012] we are announcing a new research project on protocol-level evasion of web application firewalls. This type of evasion focuses on the low level operation of WAFs, aiming to exploit little differences in how WAFs see traffic and how backend web servers and applications see it. If you get the WAF to see something different from what the backend is seeing, you have an evasion opportunity that could possibly be used to execute any attack type, without detection.
[...]
Attached to this post is our research paper that focuses on request path, parameter, and multipart/form-data evasion. Also attached are the Black Hat talk slides that introduce the research. The testing suite (a sort of a research toolkit) is in the IronBee WAF Research repository on GitHub.

It can be difficult to predict how a WAF will inspect traffic because WAF rules and methods are not standardized and work so high up the stack. Basically, you are looking for weaknesses in detection and/or to make it as difficult as possible for a WAF to properly interpret the communication sent to the target.
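A defender can check for the mismatch described above by parsing one request under several models and flagging any parameter whose value depends on the model. The sketch below is an added example, not code from this answer, the research paper, or the IronBee WAF Research repository; it covers only duplicate query parameters, and the three policies, the function names, and the sample queries are assumptions made for illustration.

```python
from urllib.parse import parse_qsl

# Three duplicate-parameter policies, named here for illustration; real
# WAFs and backends each pick their own, which is the mismatch to look for.
POLICIES = {
    "first_wins": lambda values: values[0],
    "last_wins": lambda values: values[-1],
    "joined": lambda values: ",".join(values),
}

def views(raw_query):
    """Return {policy: {param: value}} for one raw query string."""
    grouped = {}
    for name, value in parse_qsl(raw_query, keep_blank_values=True):
        grouped.setdefault(name, []).append(value)
    return {policy: {n: pick(v) for n, v in grouped.items()}
            for policy, pick in POLICIES.items()}

def ambiguous_params(raw_query):
    """Names of parameters whose value depends on the parsing policy."""
    per_policy = views(raw_query)
    names = per_policy["first_wins"].keys()
    return sorted(n for n in names
                  if len({view[n] for view in per_policy.values()}) > 1)

def triage(raw_query):
    """'reject' if any parameter is ambiguous, else 'inspect'."""
    return "reject" if ambiguous_params(raw_query) else "inspect"

# Constructed sample queries (not taken from the paper or the test suite).
SAMPLES = [
    "id=42&page=2",
    "id=42&id=43&page=2",
    "id=42&id=42",
    "q=a%26b&q=c",
]

if __name__ == "__main__":
    for q in SAMPLES:
        print(f"{triage(q):8} {ambiguous_params(q)} {q}")
```

Rejecting or normalizing ambiguous requests before inspection removes the disagreement instead of trying to guess which interpretation the backend will use.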